From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 01 Mar 2010 08:39:13 -0500
Subject: [refpolicy] Possible regression and bug in
	userdom_base_user_template
In-Reply-To: <20100301102220.GF3990@myhost.felk.cvut.cz>
References: <20100301102220.GF3990@myhost.felk.cvut.cz>
Message-ID: <4B8BC381.8060601@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/01/2010 05:22 AM, Michal Svoboda wrote:
>
> Christopher J. PeBenito wrote:
>    
>> The Fedora list is more appropriate for this discussion, as these rules
>> are specific to the Fedora policy.
>>      
> Okay, it seems so, thanks. But the usr_t rule remains in refpolicy too.
> Is the reasoning here the same? That is
>
> Daniel J Walsh wrote:
>    
>>     Executing usr_t is not that big of a security risk.
>>      
> ... because from the purity point of view it would seem that usr_t
> should be a label of read only, non-executable files.
>
> Michal Svoboda
>    
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>    
Yes if my goal was to have anyone who uses an SELinux system, to totally 
understand the difference, but my goal is to have the largest possible 
segment of computer users gain some protection for SELinux.  Forcing 
them to label every package in the world correctly or blowing up the 
application for very little increased security is just nuts.

Right now I have SELinux usage in Fedora at > 70%  If I turned off 
unconfined_t and unconfined initrc_t and started preventing execution of 
usr_t, I would bet that number would collapse.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20100301/1f7b49ee/attachment.html